Description
Security update for ntp
NTP was updated to 4.2.8p12 (bsc#1111853):
- CVE-2018-12327: Fixed stack buffer overflow in the openhost() command-line call of NTPQ/NTPDC. (bsc#1098531)
- CVE-2018-7170: Add further tweaks to improve the fix for the ephemeral association time spoofing additional protection (bsc#1083424)
Please also see https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12/ for more information.
Package list
SUSE Linux Enterprise Module for Legacy 15
References
- Link for SUSE-SU-2018:3386-1
- E-Mail link for SUSE-SU-2018:3386-1
- SUSE Security Ratings
- SUSE Bug 1083424
- SUSE Bug 1098531
- SUSE Bug 1111853
- SUSE CVE CVE-2018-12327 page
- SUSE CVE CVE-2018-7170 page
Description
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source.
Affected products
References
- CVE-2018-12327
- SUSE Bug 1098531
- SUSE Bug 1107887
- SUSE Bug 1111552
- SUSE Bug 1111853
- SUSE Bug 1155513
Description
ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.
Affected products
References
- CVE-2018-7170
- SUSE Bug 1082210
- SUSE Bug 1083424
- SUSE Bug 1087324
- SUSE Bug 1098531
- SUSE Bug 1155513